Category Archives: Privacy

In the last 48 hours, age became a hot topic on Facebook, thanks to Microsoft's free How-Old.net age-guessing online tool. It proves age is still a contentious topic, regardless of gender, race and, obviously, age. A marvellous marketing gimmick!

As always happens once a story catches fire, a few risk-averse or inquisitive minds start to dig deeper and uncover an inconvenient truth: the terms of this service authorise Microsoft to use user photos for more than just age-guessing. Exactly what the future uses will be is unknown!

Having worked in cloud computing and outsourcing for the last 5 years, I find such user terms and conditions are not unusual. Most of them are crafted so that almost all risks are excluded from the service provider's liability. Legal counsel are paid to read all reported and unreported court cases and to protect companies like Microsoft in cases like this one.

The basic assumptions of data privacy protection are in question here, and this case offers a chance to review them.

Is consent from the user enough?

For How-Old.net, the user's intention in uploading the photo is clearly to find out their age and gender. Users don't expect it to tell whether they have diabetes or what their sexuality is (it may be possible with enough data points!). However, the service provider's terms leave open the possibility of other uses of the photo, without specifying what they will be. Service providers are giving themselves some elbow room for future innovations. This is actually a typical way for commercial terms to respond to data privacy legislation.

Most data privacy laws require informed consent to specific uses of personal data. The rationale is that as long as users consent to the uses of their PII, there is NO violation of data privacy law. However, we have seen software or web service terms that try to cover an extensive scope of uses, sometimes with no restriction at all. Users are either lured into giving consent or just ignore the terms completely. Users give consent rather spontaneously!

For those who like to read the legal terms, the relevant clause is extracted here.

However, by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services.

As 2015 approaches, it is time for New Year resolutions and wishes. In the security industry, we are busy preparing for another eventful year!

When preparing our budgets and project portfolios, it may be useful to look at predictions from leading security vendors. Cyber security is an intelligence game. Can the Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post with my thoughts.

2015 Cyber Security Predictions

Healthcare will see a substantial increase of data stealing attack campaigns

Exploit mitigations reduce the number of useful vulnerabilities

Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware.

More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.

Attacks on the Internet of Things will focus on business use cases, not consumer products

Internet of Things attacks move from proof-of-concept to mainstream risks

Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts.

There will be bolder hacking attempts as cyber activity increases.

Credit card thieves will morph into information dealers

Encryption becomes standard, but not everyone is happy about it

Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money — and PoS attacks will strike a broader group of victims with increasing frequency.

An exploit kit that specifically targets Android users will surface.

Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone

More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years

As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms.

Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards.

Bugs in open source apps will continue to be exploited.

Email threats will take on a new level of sophistication and evasiveness

Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while

Lack of adequate response could result in a major brand going out of business

New mobile payment methods will introduce new threats.

As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites

From a security and risk management point of view, a central party, or in the author's words "the powers that have traditionally controlled those transactions", provides assurance on quality of service, security and privacy protection. However, with new technologies most of these assurance features could be delivered by software.

ISO 29100:2011 Privacy Framework is now a publicly available document and it offers a comprehensive framework. The Hong Kong and Singapore governments have both enacted privacy regulations; I compare both regions' privacy protection requirements with ISO 29100. Below is a summary table. I will write more on each comparison later.

ISO 29100:2011 Eleven Privacy Principles, mapped to the Singapore Nine Data Privacy Obligations and the Hong Kong Six Data Protection Principles

Clause 5.2 Consent and choice
Singapore: The Consent Obligation (PDPA sections 13 to 17): An organisation must obtain the consent of the individual before collecting, using or disclosing his personal data for a purpose.
Hong Kong: DPP3: unless the data subject has given prior consent, personal data shall be used for the purpose for which they were originally collected or a directly related purpose.

Clause 5.3 Purpose legitimacy and specification
Singapore: The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.
Hong Kong: DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used.

Clause 5.4 Collection limitation
Singapore: The Purpose Limitation Obligation (PDPA section 18): An organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.
Hong Kong: DPP1: personal data shall be collected for a purpose directly related to a function and activity of the data user; lawful and fair collection of adequate data; data subjects shall be informed of the purpose for which the data are collected and to be used.

Clause 5.5 Data minimization
Singapore: No direct equivalent requirement
Hong Kong: No direct equivalent requirement

Clause 5.6 Use, retention and disclosure limitation
Singapore: The Retention Limitation Obligation (PDPA section 25): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data, and (ii) retention is no longer necessary for legal or business purposes.
Hong Kong: DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used.
Singapore: The Transfer Limitation Obligation (PDPA section 26): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with the requirements prescribed under the PDPA.
Hong Kong: "Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances" is in the legislation but not yet in operation.

Clause 5.7 Accuracy and quality
Singapore: The Accuracy Obligation (PDPA section 23): An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete if the personal data is likely to be used by the organisation to make a decision that affects the individual concerned or disclosed by the organisation to another organisation.
Hong Kong: DPP2: all practicable steps shall be taken to ensure the accuracy of personal data; data shall be deleted upon fulfillment of the purpose for which the data are used.

Clause 5.8 Openness, transparency and notice
Singapore: The Notification Obligation (PDPA section 20): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual's personal data on or before such collection, use or disclosure of the personal data. The Openness Obligation (PDPA sections 11 and 12): An organisation must implement the necessary policies and procedures in order to meet its obligations under the PDPA and shall make information about its policies and procedures publicly available.
Hong Kong: DPP5: formulates and provides policies and practices in relation to personal data.

Clause 5.9 Individual participation and access
Singapore: The Access and Correction Obligation (PDPA sections 21 and 22): An organisation must, upon request, (i) provide an individual with his or her personal data in the possession or under the control of the organisation and information about the ways in which the personal data may have been used or disclosed during the past year; and (ii) correct an error or omission in an individual's personal data that is in the possession or under the control of the organisation.
Hong Kong: DPP6: individuals have rights of access to and correction of their personal data. Data users should comply with a data access or data correction request within the time limit, unless reasons for rejection prescribed in the Ordinance are applicable.

Clause 5.10 Accountability (includes data breach notification)
Singapore: No direct equivalent requirement
Hong Kong: No direct equivalent requirement

Clause 5.11 Information security
Singapore: The Protection Obligation (PDPA section 24): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Hong Kong: DPP4: all practicable steps shall be taken to ensure that personal data are protected against unauthorized or accidental access, processing or erasure.

Last May, at the ISO SC27 meeting held at Sophia Antipolis, WG5 Identity Management and Privacy Technologies voted to make the ISO 29100 Privacy Framework a public document. After JTC 1 Plenary endorsement at the November 2013 meeting, the standard is now available at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (search for 29100). Another document listed there is ISO 27000 Information security management systems — Overview and vocabulary.

For most people in the IT security industry, the relationship between the owner, processor and user of PII is confusing. Table I in ISO 29100 provides a clear and user-friendly way to understand their relationships.

Note from the 2016 SC27 WG5 meetings: a new edition improving consistency and language is planned. The new version is expected to be ready next year.

When capture and storage technology is so cheap, it is tempting for governments to store everything. In this case, car plate images.

I guess the car rental business has another marketing theme to explore! Soon we will see computer rental and mobile phone rental. When trust is gone, people are willing to try extreme measures.

There is a book that offers a critical review of the abundance of surveillance technology:

Critical Issues in Crime and Society: Surveillance in the Time of Insecurity. New Brunswick, NJ, USA: Rutgers University Press.

You are being tracked. How license plate readers are being used to record Americans' movements (ACLU, July 2013): A little noticed surveillance technology, designed to track the movements of every passing driver, is fast proliferating on America's streets. Automatic license plate readers, mounted on police cars or on objects like road signs and bridges, use small, high-speed cameras to photograph thousands of plates per minute. The information captured by the readers – including the license plate number, and the date, time, and location of every scan – is being collected and sometimes pooled into regional sharing systems. As a result, enormous databases of innocent motorists' location information are growing rapidly. This information is often retained for years or even indefinitely, with few or no restrictions to protect privacy rights.

I talked about browser-based security last week. As we have more and more cloud- or web-delivered applications, the browser is playing an important role. Most (if not all) user interaction in the browser is programmed via JavaScript. With cloud computing, client-side script will play an ever more important role.

Data security and data privacy concerns about using cloud services or hosted applications (like web email) are holding people back. The Paula Broadwell incident showed that law enforcement agents have far more power and means to access individual data than we think. If you would like to understand the legal framework on this, there is a very good paper written by three Dutch legal researchers.

One way users can protect their data even when it is in the cloud is client-side encryption. Why client side? Because the data must be protected before it goes out to the Internet. This means that data are encrypted at the client and the servers only store encrypted data. When the user wants to use it, the servers send back the encrypted data and the client decrypts it. As most users access the Internet using a browser, it is an obvious choice for doing the encrypt/decrypt job. However, cryptography functions are not well developed in the JavaScript domain. There are some open source libraries like Google-CryptoJS.